Description
ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). However, three other public methods that also evaluate `@src` via `eval()` were not given the same guard: `ERB#def_method`, `ERB#def_module`, and `ERB#def_class`. An attacker who can trigger `Marshal.load` on untrusted data in a Ruby application that has `erb` loaded can use `ERB#def_module` (zero-arg, default parameters) as a code execution sink, bypassing the `@_init` protection entirely. ERB 4.0.3.1, 4.0.4.1, 6.0.1.1, and 6.0.4 patch the issue.
Published: 2026-04-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The guard that stops a deserialized ERB object from being evaluated was added only to result and run. Three other public methods that also hand @src to eval, def_method, def_module and def_class, were left without it. An attacker who can get untrusted bytes into Marshal.load can therefore reconstruct an ERB object whose @src is arbitrary Ruby source and whose @_init was never set, and any call to def_module (or to either of the other two) evaluates that source in the application's process, which is remote code execution. The advisory singles out def_module because it takes no required arguments, so it is reachable from any deserialization gadget that ends in a zero-argument method call. The root cause is CWE-502 (Deserialization of Untrusted Data) combined with CWE-693 (Protection Mechanism Failure): the protection covered some of the sinks it was meant to cover, not all of them.
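To see the asymmetry in practice, here is an added Ruby probe (it is not from the advisory or from the erb gem, and it assumes only a Ruby with erb available). It rebuilds the object shape the advisory describes, an ERB instance that arrived through Marshal.load and so carries an attacker-chosen @src but no @_init, builds the Marshal blob itself from a constructed harmless template, loads it, and reports whether result and def_module evaluate the source. On every erb since 2.2.0 result is refused; on an unpatched erb def_module compiles and runs @src regardless, while on a fixed release it is refused as well. Run it under the Ruby you actually ship to learn which side of the fix you are on:

```ruby
require "erb"

# Added probe, not part of the advisory or of the erb gem. It reconstructs
# the object shape the advisory describes (an ERB instance that came out of
# Marshal.load, so it has @src but no @_init) and reports which eval sinks
# still accept it. PROBE_TEMPLATE is a constructed, harmless template.
PROBE_TEMPLATE = "<%= 6 * 7 %>"

# Build the Marshal blob that Marshal.load would receive. @src is taken from
# a real ERB compile so it is exactly the string ERB#result would eval; the
# object is created with allocate so @_init is never set, which is the state
# a crafted payload leaves the object in.
def deserialized_erb_blob(template = PROBE_TEMPLATE)
  obj = ERB.allocate
  obj.instance_variable_set(:@src, ERB.new(template).src)
  Marshal.dump(obj)
end

# Returns a hash describing what happened on this Ruby/erb:
#   :blocked    the method refused the uninitialized object by raising
#   :evaluated  the method handed @src to eval with no guard
def probe_erb_guards(blob = deserialized_erb_blob)
  loaded = Marshal.load(blob) # the untrusted deserialization step
  report = { erb_version: ERB.version }

  # ERB#result has carried the @_init guard since Ruby 2.7.0 / ERB 2.2.0;
  # it raises ArgumentError ("not initialized") for this object.
  report[:result] = begin
    loaded.result
    :evaluated
  rescue ArgumentError
    :blocked
  end

  # ERB#def_module wraps @src in a method definition and evals it. Unpatched
  # releases do so without checking @_init; fixed releases refuse the object
  # by raising, and the probe counts any exception here as the guard.
  report[:def_module] = begin
    mod = loaded.def_module("erb")
    Object.new.extend(mod).erb == "42" ? :evaluated : :unexpected
  rescue StandardError
    :blocked
  end

  report
end

puts probe_erb_guards.inspect if __FILE__ == $PROGRAM_NAME
```

The probe calls the method that def_module defined only to show the rendered value; the security-relevant event is earlier, when the attacker-chosen @src was handed to eval with no initialization check. A report of `{:result=>:blocked, :def_module=>:evaluated}` is an unpatched erb.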

Affected Systems

Affected is the erb gem, and the copy bundled with Ruby, from the release that introduced the @_init guard (Ruby 2.7.0 / ERB 2.2.0) up to the fixed releases: 4.0.3.1, 4.0.4.1, 6.0.1.1 and 6.0.4. The fix was shipped as point releases on several lines, so a version being numerically newer than 4.0.3.1 does not mean it is fixed; 4.0.4 and 6.0.3, for example, are above 4.0.3.1 and are not patched. A version that is not one of those four, or later than 6.0.4, should be treated as unpatched. Releases older than Ruby 2.7.0 have no guard at all, so there result and run are themselves sinks. The exposure exists wherever erb is loaded and the application passes attacker-influenced bytes to Marshal.load.
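An added Ruby helper (not the project's code) that encodes the release list above so a Gemfile.lock can be checked offline, including the point-release subtlety that 4.0.4 and 6.0.3 are numerically newer than 4.0.3.1 yet unpatched. The lockfile text is constructed for the example, and `erb_fixed?` and `audit_lockfile` are names chosen here:

```ruby
require "rubygems" # Gem::Version does the version comparison

# Added example, not part of the advisory. Fixed releases as the advisory
# lists them: three backport point releases plus 6.0.4 on the current line.
FIXED_POINT_RELEASES = %w[4.0.3.1 4.0.4.1 6.0.1.1].map { |v| Gem::Version.new(v) }
FIXED_HEAD = Gem::Version.new("6.0.4")

# A version is fixed if it is >= 6.0.4, or if it is one of the backport point
# releases (or a later point release on that same x.y.z line). Anything else,
# including 4.0.4, 6.0.2 and 6.0.3, is treated as unpatched.
def erb_fixed?(version_string)
  v = Gem::Version.new(version_string)
  return true if v >= FIXED_HEAD
  FIXED_POINT_RELEASES.any? do |fix|
    v.segments[0, 3] == fix.segments[0, 3] && v >= fix
  end
end

# Gemfile.lock lists pinned gems as "    erb (x.y.z)" (four spaces) under
# "specs:"; dependencies of a gem are indented further and do not match.
LOCK_ENTRY = /^ {4}erb \(([\d.]+)\)/

# Returns {version:, fixed:} for the pinned erb, or nil when erb is not pinned
# (the app then uses the copy bundled with Ruby, which has to be checked with
# `ruby -rerb -e 'puts ERB.version'` instead).
def audit_lockfile(lock_text)
  m = lock_text.match(LOCK_ENTRY)
  return nil unless m
  { version: m[1], fixed: erb_fixed?(m[1]) }
end

# Constructed sample lockfile for the demo; not a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      erb (4.0.4)
        cgi (>= 0.3.3)
      rack (3.1.8)
LOCK

puts audit_lockfile(SAMPLE_LOCK).inspect if __FILE__ == $PROGRAM_NAME
```

For the sample lockfile the helper reports erb 4.0.4 as not fixed, which is the trap the point releases set: the number is higher than 4.0.3.1 but the guard is still missing.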

Risk and Exploitability

The CVSS 3.1 base score is 8.1 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network with no privileges or user interaction and with full impact on confidentiality, integrity and availability, but with high attack complexity because the attacker needs an application that feeds untrusted data to Marshal.load while erb is loaded. EPSS is below 1% and the issue is not in CISA KEV, so there is no evidence of exploitation in the wild at the time of this entry. Where the precondition holds, exploitation is direct: the crafted Marshal payload reconstructs an ERB object with an attacker-chosen @src, and def_module, def_method or def_class evaluates it. Deserializing untrusted Marshal data is a known risk in its own right; this issue matters because it removes a guard that was specifically meant to keep ERB out of such chains. Inventory every interface through which serialized Ruby objects are accepted, and upgrade erb to a fixed release.

Generated by OpenCVE AI on April 28, 2026 at 07:01 UTC.

Remediation

Vendor fix: erb 4.0.3.1, 4.0.4.1, 6.0.1.1 and 6.0.4 (see the Description and the GHSA advisory). No workaround is listed beyond not passing untrusted data to Marshal.load.

OpenCVE Recommended Actions

  • Upgrade erb to the fixed release for the line in use: 4.0.3.1, 4.0.4.1, 6.0.1.1, or 6.0.4 (or later). The fixes are point releases, so check the exact version rather than assuming anything newer than 4.0.3.1 is safe, and check the copy bundled with Ruby as well as the gem pinned in Gemfile.lock.
  • Never pass untrusted data to Marshal.load. Data that crosses a trust boundary should use a format that cannot instantiate arbitrary classes; that closes the whole class of deserialization gadget chains, not only this sink.
  • Audit code that calls ERB#def_module, ERB#def_method or ERB#def_class on an ERB object it did not construct itself, and any deserialization path that can end in a zero-argument method call on a loaded object.

Generated by OpenCVE AI on April 28, 2026 at 07:01 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-q339-8rmv-2mhv
Title: ERB has an @_init deserialization guard bypass via def_module / def_method / def_class

History

Tue, 28 Apr 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ruby; Ruby erb
Vendors & Products  |                | Ruby; Ruby erb

Sat, 25 Apr 2026 02:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 25 Apr 2026 00:15:00 +0000

Type       | Values Removed         | Values Added
Weaknesses |                       | CWE-502
References |                       |
Metrics    | threat_severity: None | threat_severity: Important


Fri, 24 Apr 2026 02:45:00 +0000

Type        | Values Removed | Values Added
Description |                | (the description shown at the top of this page)
Title       |                | ERB has an @_init deserialization guard bypass via def_module / def_method / def_class
Weaknesses  |                | CWE-693
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:45:43.173Z

Reserved: 2026-04-20T14:01:46.671Z

Link: CVE-2026-41316

Vulnrichment

Updated: 2026-04-25T01:45:39.369Z

NVD

Status: Deferred

Published: 2026-04-24T03:16:11.897

Modified: 2026-04-29T20:56:50.103

Link: CVE-2026-41316

Redhat

Severity: Important

Public Date: 2026-04-24T02:35:41Z

Links: CVE-2026-41316 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T09:25:23Z

Weaknesses